Real-World Punch More Effective Than Cyber Punch
A cyber strike may not be the most effective deterrent against adversaries, Tom Bossert, assistant to the president for homeland security and counterterrorism, National Security Council, told the audience at the 2017 Intelligence and National Security Summit in Washington, D.C.
If a “bad actor” is engaging in increasingly unacceptable behavior, he said, “I think what we’ll have to do is punch him in a way that’s real-world and not cyber-world.” Deterrent actions will be “commensurate with the expense” and also will be done in such a way that it will not “create a long-term escalatory posture.”
Actually, he added, an offensive U.S. cyber strike may be counterproductive. “There’s very little reason to believe an offensive cyber attack is going to have any deterrent effect on a cyber adversary. In fact, it’s going to encourage them to hurry up and become better hackers and develop better defenses,” Bossert said.
@TomBossert45: Cybersecurity is misunderstood. Is more about cyber risk management. #Intelligence2017— George Seffers (@gseffers) September 6, 2017
He also indicated that some adversaries will continue their belligerent activities regardless of what the United States does. “We’re looking to punish them in a way that changes or modifies their behavior while also defending against what will continue to happen regardless of what we do to punish people. We see what a problem it is to apply pressure to the Venezuelan dictator or the North Korean regime,” Bossert stated.
He suggested the United States could learn lessons from both the United Kingdom and Israel. For example, in Israel, the government has the trust and the authority to protect the entire critical infrastructure. “They’re providing what I’ll call a virtual iron dome where they’ll defend everything from a government perspective. In their model, any bad incoming signature is something that’s subject to their immediate blocking or rejection,” he offered. “We could pursue something that narrowly allows us to do that only with the most critical users … within a carefully constructed set of bounds that allows for abuse and privacy concerns.”
@TomBossert45: Israeli model allows govt to protect everything. We could pursue a limited version of that#Intelligence2017— George Seffers (@gseffers) September 6, 2017
He described the current U.S. cyber defense system as “trigger-based,” suggesting it requires an event to trigger a response. He suggested the system needs far greater investment to be effective. "I would argue that if we’re going to keep it, we’re going to have to increase our capacity tenfold. We don’t have what it takes right now to see incoming malicious code and then get an FBI agent out fast enough to every potential target,” Bossert said, pointing out that a phishing attack, for example, can affect thousands of computers.
He also offered the possibility of a combination of the Israeli model and the current trigger-based system.